[Summit] TLS s2s interconect hackfest

Dave Cridland dave at cridland.net
Wed Jan 27 08:46:32 CST 2010


On Wed Jan 27 14:23:33 2010, Peter Saint-Andre wrote:
> On 1/27/10 6:25 AM, Dave Cridland wrote:
> > On Wed Jan 27 13:03:50 2010, Peter Saint-Andre wrote:
> >> On 1/27/10 6:00 AM, Dave Cridland wrote:
> >> > On Wed Jan 27 12:44:05 2010, Diana Cionoiu wrote:
> >> >> Hello,
> >> >>
> >> >> Is there ANYONE interested to test TLS s2s during the Friday  
> hackfest?
> >> >
> >> > We can certainly do that.
> >>
> >> +1. This is a major gap in testing and deployment, perhaps  
> because it's
> >> not visible to users.
> >>
> >>
> > Right, that's true. It's also very easy to get wrong in various  
> weird
> > ways. (My favourite remains the case where you decide that the  
> peer
> > you're connecting to doesn't have a valid certificate, and  
> therefore
> > instead of using the EXTERNAL you're offered, you insist on doing
> > dialback to authenticate yourself.)
> 
> That is rather strange from the PKI perspective, but it's always  
> seemed
> like a good fallback from the XMPP perspective. Or is it? :)

It isn't sane at all.

The initiator ends up trusting the receiver without any  
authentication outside of a trust in DNS, which it had anyway - it's  
refusing to use the credentials that the receiver is happy to trust,  
however, for no apparent reason.

Falling back to dialback when your X.509 credentials aren't accepted  
is of course a sane fallback for XMPP. Falling back when they *are*  
accepted is weird.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade


More information about the Summit mailing list